@joulester The short version is it just worked. Especially if you don't need the certificate part, it just works. To give me an idea how to be more helpful than just saying it works, is there a step you have a question about?

@valepe69 Fixed.
Having a Multi-WAN configuration all was screwed up by the bug of the 2.5.1 release.
Reloaded the 2.5.0 and the same configuration works great.

@piba

I have a question about the 503 error page.

If somebody is accessing my WAN IP adress (e.g. https://67.46.29.83:443) instead of my domain name, HAproxy shows a 503 error page, Is this normal behaviour of HAproxy?

If so, this is nice because I want to block access to WAN ip, but is it also possible to modify the header and content of the 503 page?

@vijay7 How are you doing the upload blocking?

@rupesh

According to the hint written in the IP Alias creation form, it does.

Hint : Enter as many hosts as desired. Hosts must be specified by their IP address or fully qualified domain name (FQDN). FQDN hostnames are periodically re-resolved and updated. If multiple IPs are returned by a DNS query, all are used. An IP range such as 192.168.1.1-192.168.1.10 or a small subnet such as 192.168.1.16/28 may also be entered and a list of individual IP addresses will be generated.

The thing is, when re-doing the DNS resolution, pfSense may be fooled by a DNS cache. If it probes a DNS that has the old record in cache and does not re-probe the SOA, the new IP will not be detected. As such, the delay after an IP address changed is :
--Time for the client to update its records (can be as quick as instant or longer)
--Time for the previous record to be purged from the cache in the DNS server probed by pfSense
--Time for pfSense to renew the IP alias

After all of these delays, then the alias will be updated. It can be very long, some DNS cache may last for 30 days, but at a certain moment, it will happen.

Regards,

@piba thankyou piba, you are a savior.

Ok after playing around with it and clearing the states a few times a rebooting it seems to be working now. Will see if the issue happens again

@TGill,

HAProxy is testing over HTTP/1.0 while your curl is using HTTP/1.1. That may very well be the difference between the two tests and the two results.

You can try something like
HTTP/1.1\r\nHost:\ hostname.domain.lan

in the "Http check version" box in your backend's configuration.

@kom That did the trick! I knew it was something simple I was overlooking. Thanks for the help!

@clarence
I'm glad I found your post, maybe you can help me too.
I also use Dynu.com and am trying to setup SSL from Let's Encrypt but I can't get it to work and I'm thinking it has to do with authentication through Dynu.

I have one static IP address and want to be able to host 2 or 3 websites, all public.
I also like to watch Tom's videos at Lawrence Systems and watched the video you linked before I got started but it wasn't clear enough for me. I found this video which walks the way through the creation of the setup.
https://www.youtube.com/watch?v=FWodNSZXcXs

Now I setup essentially the same configuration he put together. In Acme I created 1 wildcard cert from Let's Encrypt for my domain and one specific to one of the websites. They all completed successfully. His setup worked mine didn't. So I did more searching and found your post here.

I did not know CAAs had to be created so I just added them to my Dynu DNS records.
I also added your suggestion for the added security settings to my setup.
Still my websites will connect through HAproxy but they still show "Not Secure".

You mentioned you had to create txt records. What are they and where do they go? What infomation needs to be in them? Is this because of the way Dynu works?

Any ideas what I could be missing.